refactor(global): remove useless code related to CSRF (#387)

2016-12-16 14:00:57 +13:00 · 2016-12-16 14:00:57 +13:00 · d9f6124609
parent 5b16deb73e
commit d9f6124609
3 changed files with 1 additions and 61 deletions
--- a/api/csrf.go
+++ b/api/csrf.go
@ -1,48 +0,0 @@
-package main
-
-import (
-	"github.com/gorilla/csrf"
-	"github.com/gorilla/securecookie"
-	"io/ioutil"
-	"log"
-	"net/http"
-)
-
-const keyFile = "authKey.dat"
-
-// newAuthKey reuses an existing CSRF authkey if present or generates a new one
-func newAuthKey(path string) []byte {
-	var authKey []byte
-	authKeyPath := path + "/" + keyFile
-	data, err := ioutil.ReadFile(authKeyPath)
-	if err != nil {
-		log.Print("Unable to find an existing CSRF auth key. Generating a new key.")
-		authKey = securecookie.GenerateRandomKey(32)
-		err := ioutil.WriteFile(authKeyPath, authKey, 0644)
-		if err != nil {
-			log.Fatal("Unable to persist CSRF auth key.")
-			log.Fatal(err)
-		}
-	} else {
-		authKey = data
-	}
-	return authKey
-}
-
-// newCSRF initializes a new CSRF handler
-func newCSRFHandler(keyPath string) func(h http.Handler) http.Handler {
-	authKey := newAuthKey(keyPath)
-	return csrf.Protect(
-		authKey,
-		csrf.HttpOnly(false),
-		csrf.Secure(false),
-	)
-}
-
-// newCSRFWrapper wraps a http.Handler to add the CSRF token
-func newCSRFWrapper(h http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("X-CSRF-Token", csrf.Token(r))
-		h.ServeHTTP(w, r)
-	})
-}
--- a/api/handler.go
+++ b/api/handler.go
@ -10,7 +10,7 @@ import (
 	"os"
 )

-// newHandler creates a new http.Handler with CSRF protection
+// newHandler creates a new http.Handler
 func (a *api) newHandler(settings *Settings) http.Handler {
 	var (
 		mux         = mux.NewRouter()
@ -37,14 +37,9 @@ func (a *api) newHandler(settings *Settings) http.Handler {
 	mux.HandleFunc("/templates", func(w http.ResponseWriter, r *http.Request) {
 		templatesHandler(w, r, a.templatesURL)
 	})
-	// mux.PathPrefix("/dockerapi/").Handler(http.StripPrefix("/dockerapi", handler))
 	mux.PathPrefix("/dockerapi/").Handler(http.StripPrefix("/dockerapi", addMiddleware(handler, a.authenticate, secureHeaders)))
-
 	mux.PathPrefix("/").Handler(http.StripPrefix("/", fileHandler))

-	// CSRF protection is disabled for the moment
-	// CSRFHandler := newCSRFHandler(a.dataPath)
-	// return CSRFHandler(newCSRFWrapper(mux))
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		mux.ServeHTTP(w, r)
 	})
--- a/app/app.js
+++ b/app/app.js
@ -464,8 +464,6 @@ angular.module('portainer', [
    });

    // The Docker API likes to return plaintext errors, this catches them and disp
-    // $httpProvider.defaults.xsrfCookieName = 'csrfToken';
-    // $httpProvider.defaults.xsrfHeaderName = 'X-CSRF-Token';
    $httpProvider.interceptors.push(function() {
      return {
        'response': function(response) {
@ -477,11 +475,6 @@ angular.module('portainer', [
              time: 10000
            });
          }
-          // CSRF protection is disabled for the moment
-          // var csrfToken = response.headers('X-Csrf-Token');
-          // if (csrfToken) {
-          //   document.cookie = 'csrfToken=' + csrfToken;
-          // }
          return response;
        }
      };